Website security

ABSTRACT

Websites are monitored for changes over time. A domain name server resolves a domain name to a single internet protocol address and then performs a reverse resolution for the single internet protocol address. When multiple alias records resolve to the same host name, the domain name server determines the single internet protocol address virtually hosts multiple domain names.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. application Ser. No.12/575,018 filed Oct. 7, 2009 and since issued as U.S. Pat. No.9,172,712, and incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates to website security, and more particularlyto a system and method for monitoring websites for unauthorizedactivity.

BACKGROUND OF THE INVENTION

With the emergence of the World Wide Web (WWW), the use and utility ofwebsites and web pages to hold and deliver content has defined theInternet to a large population of the world. This technology has beenembraced not only on the Internet, but also within enterprise intranetnetworks. Many modern computers and network-attached devices (printers,routers, switches, etc.) can and often do host websites and delivercontent via associated web pages. Many businesses are challenged toidentify the myriad of web-enabled systems and services within theirinternal networking space. Additionally, it is very difficult to managethe content and format of both internal and external-facing websites.

Enterprise managers are challenged as to how to manage and identify theexplosion of approved websites against the possibility of roguewebsites, and/or defaced websites, within the business' internet and/orintranet presence.

SUMMARY OF THE INVENTION

An exemplary system provides automated tools that support the discoveryof web servers, including virtual web hosting servers, within theenterprise. The exemplary system further captures images of web pageshosted on those websites. After capturing the web pages, the web pagesmay be converted into thumbnail images, also referred to herein asthumbnails, thumbshots, or snapshots. These thumbnails may then bevisually reviewed by a user in any number of ways, including for examplein a streaming tape or a hierarchical tree format.

An exemplary web thumbnail security system, also referred to herein as aweb thumbnail system, may be adapted to find and capture web pageimages, and may thereby provide the user with a unique way to visuallyreview websites and web page content found in an enterprise network.With the resulting thumbnail images, the user may be able to review webpages and detect anomalous or questionable content.

An exemplary system may be used to: 1) identify and catalog the serversand systems in the network that are running web services; 2) locatewebsites and pages with missing or broken links; 3) locate websites andpages that are not using approved formats; 4) detect rogue websites; 5)detect unsecured websites such as a network switch or router; 6) locateunsecured sensitive content; 7) identify web services running onunapproved systems; 8) detect inappropriate redirections to otherwebsites; 9) detect defaced pages; and 10) detect pages and websiteswith possible virus or malware infections.

The exemplary system may be configured to capture the web pages of aknown website on a regular basis to monitor for unplanned orinappropriate changes to the web pages.

A method for monitoring websites is provided that includes, among otherthings, downloading a first snapshot of a web page taken at a firsttime, and downloading a second snapshot of the web page taken at asecond time later than the first time. The method also includes thefeature of enabling a comparison of the first snapshot and the secondsnapshot. Additionally, and optionally, the system can also capture thedetailed content of the web site including text, images and associateddetailed information available on that site.

A system for monitoring websites is provided that includes means fordownloading a first snapshot of a web page taken at a first time, andmeans for downloading a second snapshot of the web page taken at asecond time later than the first time. The system also includes meansfor enabling a comparison of the first snapshot and the second snapshot.Additionally, and optionally, the system can also capture the detailedcontent of the web site at time 1, and then again at time 2 and comparethe content changes.

A computer-readable recording medium having recorded thereon anexecutable program is provided. The program when executed causes aprocessor to perform a method for monitoring websites.

These and other advantages will be apparent to those of ordinary skillin the art by reference to the following detailed description and theaccompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a system in accordance with anembodiment;

FIG. 2 is a schematic diagram of application modules and data inaccordance with an embodiment;

FIG. 3 is a schematic diagram of a system and application modules inaccordance with an embodiment;

FIG. 4 is a flow chart illustrating a method in accordance with anembodiment;

FIG. 5 is a schematic diagram of a system in accordance with anembodiment;

FIG. 6 is a schematic diagram of a system in accordance with anembodiment;

FIG. 7 is a schematic diagram of a system in accordance with anembodiment;

FIG. 8 is a schematic diagram of a system in accordance with anembodiment;

FIG. 9 is a screen shot of a display in accordance with an embodiment;

FIG. 10 is a screen shot of a display in accordance with an embodiment;

FIG. 11 is a schematic diagram of a system in accordance with anembodiment; and

FIG. 12 is a block diagram of a computer in accordance with anembodiment.

DETAIL DESCRIPTION

A web thumbnail system may provide an automated system to aid indiscovering websites and capturing the image content of those websites.These thumbnail images are visually reviewed, using one of the supplieddisplay methods or another alternative method. In this manner, thesystem aids in reviewing the content of these websites and aids in theunderstanding of the web environments within a business or enterprise.

FIG. 1 illustrates an exemplary embodiment. Web track data collectionsystem 100 (also referred to herein as system 100) may operate tocollect data about websites and web pages presented by a business orenterprise. System 100 may be networked to servers 120, 121, 122 and123. Each of servers 120, 121, 122 and 123 may have one or more websiteswhich are monitored by system 100. Additionally, system 100 may monitoradditional servers, either part of the same enterprise or business,associated with a sub-division of the enterprise or business, orassociated with another enterprise or business. System 100 may connectto servers 120, 121, 122, 123 via an internet or intranet. Web tracksecurity information tool set 110 may connect to system 100 to organizeand analyze the data collected by web track data collection system 100.Web track security information tool set 110 may include keyboard 112 anddisplay 111 for use by an operator of web track information tool set110. System 100 may be integrated with a web tracking system, forinstance a web tracking system that provides a web crawler and webcontent download and management capability.

FIG. 2 illustrates a functional diagram of an exemplary embodiment. Data200, which may be collected by system 100, may be accessed by varioushardware or software elements. Software that accesses data 200 mayinclude modules and/or applications which may run on web track securityinformation tool set 110. Website crawler and data consolidation 210 maydirect system 100 in accessing servers 120, 121, 122, 123. Websitemining 220 may control the downloading of web pages and/or snapshots ofwebsites. Sophisticated search 230 may operate to enable a user toaccess data 200 using various Boolean connectors in conjunction withsearch terms selected by the user. Data visualization 240 may operate toanalyze and/or display data 200 and/or metadata in a manner that iseasily reviewed and analyzed by a user using display 111. Anomalydetection 250 may analyze data 200 to detect anomalous data and notify auser of web track security information tool set 110. Web differencing216 may analyze data 200, and in particular may compare two snapshots ofa web page taken at different points in time and identify and/orhighlight the differences between the snapshots. Web differencing 260may also present the identified differences to a user in a report and/orin a highlighted manner using the content information. Alternatively,the user may visually examine the two or more snapshot images to observea change.

FIG. 3 illustrates another exemplary embodiment. In FIG. 3, system 100monitors websites 300, which may be running on servers 120, 121, 122,and 123, or on other servers. Web track data collection system 100 iscoupled to database 310, which includes structured website data. Featuredetection 320 may be a module within system 100, or may alternatively berunning on web track information tool set 110 of FIG. 1. Featuredetection 320 may operate to track features of monitored websites.Features can be thought of as keywords or phrases that the user isinterested in monitoring. If a feature is detected, this item is markedand can be used for alarming or trending purposes. Search engine 330 maybe a module within system 100, or may alternatively be running on webtrack information tool set 110 of FIG. 1, and may access database 310for searching functions. Search engine 330 may be an application,module, or software running on a personal computer, server, or othernetwork device. Search engine 330 in FIG. 3 may operate to runsophisticated search 230 shown in FIG. 2. Trending 340 may be asoftware, application, or module running on a computer or server and mayoperate to identify trends in websites and/or web pages. In particular,web trending 340 may operate to provide a frequency histogram showing adocument frequency or changes in websites and/or web pages. Trending 340may provide the function of anomaly detection 250 shown in FIG. 2.Visual analysis 350 may operate to provide illustrations of data andchanges in websites and web pages. Visual analysis 350 may operate toprovide the function of data visualization 240 shown in FIG. 2.Differencing 26 may identify and/or highlight differences between webpages represented by webshots that are downloaded at different times orthough the use of detailed content information. Differencing 360 mayoperate to perform the functionality of web differencing 260 shown inFIG. 2. Statistical processing 370 may operate to illustrate statisticalinformation relating to the data included in database 310. Statisticalprocessing 370 may operate to provide the functionality of database 310.Statistical processing 370 may operate to provide the functionality ofwebsite mining 220 shown in FIG. 2.

A web thumbnails system may be implemented in a modular format. Method400 is shown in FIG. 4 including various sub-steps. Each sub-step may beoptional in method 400, or may be performed in an alternative order. Theflow in method 400 starts at network report scanning 410, which mayidentify available ports in servers operating on a business orenterprise intranet. Network report scanning 410 may include scanning toidentify ports open to a network, and identifying IP addresses ofcomputers accessible via the ports to identify web pages. Network reportscanning 410 may include identifying at least one of a host name and adomain name associated with an identified IP address. A networking portscanning module may provide an optional web services discovery interfaceto discover web servers running on a network. Port scanning applicationsmay be configured to send service discovery packets to the destinationnetwork looking for responses on service ports. For web services, thesemay include TCP ports 80, 8080 and 443. However, the configuration ofthe port scanning module is flexible and can be extended or reducedbased on the networks being scanned.

The results of a discovery scan may provide a listing of IP addressesthat responded to the configured TCP port requests. The resultinglisting of IP addresses captures the candidate systems for furtherinvestigation and may be passed to the next module. Network reportscanning 410 may be optional in system 100, which alternatively can be“seeded” with a listing of IP addresses, hostnames or website addresses,if discovery is not required or desired.

A web thumbnails system may optionally scan a defined network/subnetworklooking for systems with open web ports. This type of scanning couldimpact firewalls and other systems. An Intrusion Detection System orother security monitor may flag the scanning activity, and therefore itmay be advisable for an operator of a web thumbnails system to inform acyber security operations team of planned scanning activities.

FIG. 5 illustrates a functionality of network port scanning 410 shown inFIG. 4. In FIG. 5, system 100 connects to enterprise intranet 500, whichincludes servers 510, 520, 530, 540 and 550. Web track data collectionsystem 100 may operate to perform the operation of network port scanning410 to identify systems within enterprise intranet 500 that have openweb ports. Web track data collection system 100 may identify web ports80, 8080, and 443, for example. Web track data collection system 100 mayidentify server 540 as having open port 545, and also may identifyserver 550 as having open port 555.

Specialized domain name system 420 (also referred to as Specialized DNS420) of FIG. 4 may operate to access a computer and determine if acomputer is serving or providing multiple websites. Two types ofIP-to-hostname resolutions may be used. The first is use of standard DNSprocessing for use with external (non-enterprise) site processing. Thesecond is for use with internal enterprise site processing, and may berequired to discover “virtual” web hosting sites.

In standard DNS processing, the IP addresses provided from a networkscanning module are processed through a domain name system in an effortto return a hostname or a domain name. This may improve the results of alater web page rendering request. Use of an IP address in the webrequest may provide a resulting web page. Use of the IP addressescorresponding hostname and/or domain name may provide better results inthe rendering stage as the subject website will pass the host attributealong to the destined web site, which in the case of virtual web hostingsites will allow it to display the named web site home page. If the DNSquery cannot return a hostname and/or domain name, the system mayproceed with the rendering request using the IP address. Standard DNSprocessing does not require a specialized DNS system.

Specialized DNS 420 may discover virtual web hosting sites within anenterprise. Virtual web hosting may enable multiple websites to besupported on a single IP address. To access one of the multiple websitesat a single IP address, the web request may need to provide the specificURL or domain name in the host field. The IP address or the hostname maynot be used to locate these websites because the virtual hosting systemmay not know which website is being requested. If the virtual webhosting system is configured with a default redirection, that singlewebsite will be rendered, and the remaining websites on that system maynot be found. If the virtual web hosting system does not have a defaultredirection in place, no web pages will be returned.

With standard DNS processing, there may be no easy method to identifyall domain names associated with a single IP address (supplied from thenetwork port scanning module). Accordingly, specialized DNS 420 may beused to determine all domain names (or aliases) associated with an IPaddress, and system 100 may use this list of aliases during therendering process.

FIG. 6 illustrates the function of specialized DNS 420 of FIG. 4. Webtrack data collection system 100 may identify servers or computershaving open ports as shown in FIG. 5. In particular, system 100 mayidentify server 540 having open port 545 and server 550 having open port555 (in this reference open ports represent a web server port).Additionally, system 100 may identify server 600 having an open port605. System 100 may also identify that server 600 is operating topresent multiple web sites. System 100 may exercise a DNS lookup of thisIP (internet protocol) to acquire a host name. System 100 may use thehost name to query for alias records. System 100 may also reverse theDNS process to identify alias host names which effectively work as URLaddresses. For example, system 100 may identify that server 600 isoperating to present virtual server 610 having a virtual web site 615,virtual server 620 having virtual web site 625, virtual server 630having virtual server 635 and virtual server 640 having virtual web site645. In this manner, server 600 may present four virtual servers, eachvirtual server having a separate web site defined with different aliasDNS names which accordingly can present a different web page to theinternet or intranet. System 100 operating specialized DNS 420 mayidentify all of the websites and web pages operating on server 600. Ifthe DNS query cannot return a hostname and/or domain name, the systemmay proceed with the rendering request using the IP address.

Web page referral mining 430 of FIG. 4 may operate to identifyhyperlinks on a web page and/or to download a web page which isidentified by a hyperlink. Web page referral mining 430, also referredto herein as a hyperlink identification engine, may detect website pagesthat are “linked” to any given page. For example, web page referralmining 430 may start at a home page of a particular website and scanthat web page to identify any “hyperlinks” or referral pages found onthat homepage. System 100 may add these referral page addresses into thecollection process.

System 100 may define this mining in terms of layers. For example, alayer 1 scan may only render the home pages and will not render anyhyperlinks. A layer 2 scan may locate the homepages and may also renderany hyperlink pages that were included on the homepage. A layer 3 scanmay continue to track these links in an expanding tree. A user of thesystem may set the mining layer as a configuration option prior to theexecution of this system.

Web page referral mining 430 may identify not only the pages containedwithin the website, but also show what other websites are available viathese hyperlinks. Web page referral mining 430 may execute a hyperlinkon the web page to upload a hyperlinked web page, and download asnapshot of the hyperlinked web page. This may enable detection ofinappropriate links connected to the enterprise sites. Web page referralmining 430 may track what links are available at what layers in thetree. The system may also include controls to suppress external websiterendering if desired by the user.

FIG. 7 illustrates the function of web page referral mining 430. In FIG.7, system 100 may automatically extract hyperlinked references. Inparticular, system 100 may identify and download a snapshot of homepage710, and may identify hyperlinks on homepage 710. System 100 mayidentify web pages 721, 722, and 723 in web page layer 720 comprised ofweb pages hyperlinked to homepage 710. System 100 may also identify webpages 731 and 732, in web page layer 730, that are hyperlinked to webpage 721. System 100 may maintain all of the identified web pages in atree layer model in a memory, thereby illustrating the hierarchicalnature of the website. System 100 may also capture externally hosted webpages.

Web page rendering 440 of FIG. 4 may operate to create an image of awebsite or web page, which may be readily downloaded or converted into athumbnail and downloaded. The web thumbnails system may automatically goto each of the listed candidate websites (identified by IP address,hostname, listing of virtual hosting domain names, or manually definedURL's) and capture the page displayed at that address. The renderingengine is analogous to a user pressing the print screen key on theirpersonal computer with the web browser set to display in full screen.The rendering engine will capture this screen image after a userconfigurable timeout. The resulting images can include: 1) the web pageimage; 2) a web page status screen; 3) a blank screen; 4) overlayscreens such as popup windows; and 5) anti-virus and/or malwaredetection messages appearing on a top edge of a web page. The anti-virusand/or malware detection message may indicate that the processed websitehas triggered the detection of some malware based on the antivirussystem running on the web thumbnails system. The web page images maythen be passed to the next component in this architecture.

FIG. 8 further illustrates web page rendering 440, which may also bereferred to as a website collection function. System 100 may connect toenterprise intranet 500, which includes servers 510, 520, 530, 540 and550. Server 540 may have an open port 545, and server 550 may have openport 555. System 100 may include list 800 of authorized websites and/orweb pages. System 100 may include an automated tool using a standard webbrowser to contact the destination web server pages in list 800. System100 may download each identified web page and capture an image of thepage, also referred to herein as a snapshot or webshot. System 100 maycapture web page 810 and web page 820. System 100 may also handle pop-upconditions such as certificate errors, and may be used to enable a deltaprocessing or differencing function. System 100 may take a webshot of awebsite or web page at an initial time as a baseline.

Image conversion/scaling 450 of FIG. 4 may convert an image to an easilydownloaded file type or format, and also may scale an image to athumbnail or other appropriate size. Image conversion/scaling 450 mayhave user configurable options to set the size of the image.

Data repository 460 of FIG. 4 may save data including snapshots,thumbnail snapshots and relational data between different web pages.Thumbnail images may be retained in tree file structure, or any otherappropriate file management system. Data repository 460 may utilize adatabase, and/or may provide additional features such as annotations andalternative access methods. A database retention of thumbnail images mayutilize a relational database structure enabling the collection of userannotations and notes.

Visualization tools 470 of FIG. 4 may operate to display data and/orsnapshots of web pages for evaluation by an operator. In particular,visualization tools 470 may display a series of snapshots of differentweb pages of an enterprise or business in either a tree formatillustrating the hierarchy of the web pages or in a streaming tapeformat in which the snapshots are scrolled across the screen, forexample from left to right.

The method may include downloading another snapshot of the web pagetaken at another time, and enabling a comparison of the later snapshotwith an earlier snapshot. The method may include identifying adifference between the first and second snapshots, and displaying thedifference in a highlighted manner. The method may include storing afirst text associated with the first snapshot of the web page, andstoring a second text associated with the second snapshot of the webpage. The method may further include identifying the difference when thefirst text differs from the second text. In the method, the textassociated with the web page may be metadata associated with the webpage. The method may include: locating missing, broken, or misdirectinglinks: detecting unapproved, defaced, or unsecured web pages; ordetecting web pages with malware or viruses.

In the streaming tape format, the images are displayed in a ticker tapelike display with the images automatically scrolling across a web page.There may be controls for adjusting the speed of the scrolling andallowing the user to pause or resume the scroll. Clicking on an imagemay launch a new web browser window directly to that web page inreal-time.

FIG. 9 illustrates a streaming tape format, also referred to herein asan image tape method. System 100 may execute visualization tool 470 byan image tape method. For instance, system 100 may display image 900which is an image tape, and which may provide a ticker tape-likedisplay. Image 900 may automatically scroll web page images 920, 930 and940 (also referred to herein as webshots) in a direction 910 across thescreen. Image 900 may include a direct hyperlink to the live web page.For instance, image 900 may enable a user to select webshot 920 with amouse or other interface and open a browser showing the web page fromwhich webshot 920 was taken. In this manner, an operator or securityspecialist may view the automatic scrolling of webshots 920, 930, and940. If the user or security specialist identifies an anomaly in any ofthe webshots, the security specialist may select the identified webshotwith a mouse and open a browser to further evaluate the current statusof the web page.

FIG. 10 illustrates an alternative exemplary embodiment of visualizationtool 470 using a tree format. The tree format may show the image in arow and column view. The webshots are presented in hierarchicalstructure with parent pages shown first and child pages available as theuser drills down. The number of drill-down levels may be controlled byweb page referral mining 430. A tree format view may display all webpages seen at a particular level. Clicking on thumbnails may launch anew web browser directly to that web page in real-time. In FIG. 10,image 1000 includes an image of webshot 1010. Webshot 1010 mayillustrate a snapshot of a homepage or other web page having one or morehyperlinks embedded therein. A user or security specialist may selectwebshot 1010 or may just activate a drill down function to open image1020. Image 1020 may open while simultaneously closing image 1000, oralternatively image 1020 may open in addition to image 1000 in a layeredor tiled format. Image 1020 may include webshots 1030, 1040, 1050, etc.Webshots 1030, 1040, and 1050 may be webshots of web pages that arehyperlinked to the web page shown in webshot 1010. In this manner, auser or security specialist may be able to recognize and/or use thehierarchical or tree structure of a website. In the tabulated treeformat of FIG. 10, a row and column image view may be displayed and thedrill down level structure of a website may be easily shown.Additionally, each of webshots 1010, 1030, 1040 and 1050 may include ahyperlink to the active web page illustrated in the snapshot, asdiscussed above in regard to FIG. 9.

Network routes and firewall configurations may need to allow for normalweb browsing for the web thumbnails system to operate. No additionalspecial ports or routing support may be required. The web thumbnailssystem may record execution statistics in log files.

Geographically distributed web thumbnail hosts may provide improvedperformance by reducing network latency. In some sub-networks there maybe virtually no web services, while other networks may have asignificant amount. Network latency delays may vary depending on thewide area network topology and bandwidth. The performance of each webserver also may vary. An option may be provided to configure thethumbnail process to build in a delay for slow networks and servers, aswell as to handle SSL (Secure Sockets Layer) certificate acceptanceprocessing. This type of processing uses automation to detect promptssuch as pop-up messages or intervening screens. Once detected, theautomation will select the correct button or hyperlink to “accept” thewarning message allowing the browser to continue to the web site orpage.

FIG. 11 illustrates another exemplary embodiment. In FIG. 11, managersystem 1100 controls system 100, and also controls agent system 1110.Agent system 1110 operates to monitor intranet 1120. Alternatively,intranet 1120 may represent a subset of the intranet, or an externallyoperated website. Manager system 1100 may include a human interface1130, which may in turn include a computer, server, display, and/orkeyboard. Manager system 1100 may also include a server 1140, which mayoperate as a database or other memory storage.

The method may be performed by a plurality of client servers. Largescale captures can be optimized through the use of multiple collectionmachines. Virtual hosts may also be utilized in this implementationproviding significant associated cost benefits. A thumbnails processingsystem may use any appropriate operating system. A thumbnail processingsystem may be deployed on a physical system or on a virtual system(e.g., VMware). The web thumbnail system may logically bind to theprimary display screen of that system during its execution. Accordingly,concurrency is achieved though the use of multiple collection serversrunning in parallel. Serialized jobs queues can also be implementedbased on scheduled collection time windows or semaphore locking. Thescheduled collection allows for a web site to be automatically processedat a predetermined day and time. The use of semaphore is used to ensurethumbnail job 1 to be fully completed prior to moving on to thumbnailjob 2 which allows more effective use of the web thumbnails collectionhardware.

A graphical user interface (GUI) to manage the setup and execution ofthe web thumbnails collection jobs may enable all configuration options,and may manage the collection schedule. The GUI may also controlmultiple collector machines or agents. An alternative GUI for a webthumbnails system may utilize Flash programming.

FIG. 12 is a high level block diagram of a computer in accordance withan embodiment. The computer 1200 can, for example, operate as any of theentities in FIG. 1, including web track data collection system 100,servers 120, 121, 122 and 123, and web track security information toolset 110. Additionally, computer 1200 can perform the steps describedabove (e.g., with respect to FIG. 4). Computer 1200 contains processor1210 which controls the operation of the computer by executing computerprogram instructions which define such operation, and which may bestored on a computer-readable recording medium. The computer programinstructions may be stored in storage 1220 (e.g., a magnetic disk, adatabase) and loaded into memory 1230 when execution of the computerprogram instructions is desired. Thus, the computer operation will bedefined by computer program instructions stored in memory 1230 and/orstorage 1220 and computer 1200 will be controlled by processor 1210executing the computer program instructions. Computer 1200 also includesone or more network interfaces 1240 for communicating with otherdevices, for example other computers, servers, or websites. Networkinterface 1240 may, for example, be a local network, a wireless network,an intranet, or the Internet. Computer 1200 also includes input/output1250, which represents devices which allow for user interaction with thecomputer 1200 (e.g., display, keyboard, mouse, speakers, buttons,webcams, etc.). One skilled in the art will recognize that animplementation of an actual computer will contain other components aswell, and that FIG. 12 is a high level representation of some of thecomponents of such a computer for illustrative purposes.

The foregoing Detailed Description is to be understood as being in everyrespect illustrative and exemplary, but not restrictive, and the scopeof the invention disclosed herein is not to be determined from theDetailed Description, but rather from the claims as interpretedaccording to the full breadth permitted by the patent laws. It is to beunderstood that the embodiments shown and described herein are onlyillustrative of the principles of the present invention and that variousmodifications may be implemented by those skilled in the art withoutdeparting from the scope and spirit of the invention.

The invention claimed is:
 1. A method, comprising: identifying, by adomain name server, a port open to a communications network;identifying, by the domain name server, a single internet protocoladdress associated with another server that is accessible via the portopen to the communications network; performing, by the domain nameserver, a domain name resolution that resolves the single internetprotocol address to a hostname; requerying, by the domain name server,the domain name resolution for the hostname; retrieving, by the domainname server, multiple alias records having the domain name resolutionwith the hostname; determining, by the domain name server, the singleinternet protocol address associated with the another server that isaccessible via the open port virtually hosts multiple domain names inresponse to the multiple alias records having the domain name resolutionwith the hostname; downloading, by the domain name server at a firsttime, web pages associated with the multiple domain names; generating,by the domain name server, first thumbnail images of the web pagesdownloaded at the first time; downloading, by the domain name server ata later second time, the web pages associated with the multiple domainnames; generating, by the domain name server, second thumbnail images ofthe web pages downloaded at the later second time; comparing, by thedomain name server, the first thumbnail images to the second thumbnailimages; determining, by the domain name server, an image differencebetween corresponding ones of the first thumbnail images and the secondthumbnail images; and processing, by the domain name system, the imagedifference for display.
 2. The method of claim 1, further comprisingstoring an entry in an electronic database that electronicallyassociates filenames with the first thumbnail images.
 3. The method ofclaim 1, further comprising determining a textual difference between anyone of the first thumbnail images and a corresponding one of the secondthumbnail images.
 4. The method of claim 3, further comprising visuallyhighlighting the textual difference.
 5. A system comprising: aprocessor; and a memory device, the memory device storing code, the codewhen executed causing the processor to perform operations, theoperations comprising: identifying a port open to a communicationsnetwork; identifying a single internet protocol address associated withanother server that is accessible via the port open to thecommunications network; performing a domain name resolution thatresolves the single internet protocol address to a hostname; requeryingthe domain name resolution for the hostname; retrieving multiple aliasrecords having the domain name resolution with the hostname; determiningthe single internet protocol address associated with the another serverthat is accessible via the open port virtually hosts multiple domainnames in response to the multiple alias records having the domain nameresolution with the hostname; downloading web pages associated with themultiple domain names; generating first thumbnail images of the webpages; redownloading the web pages associated with the multiple domainnames at a later time; generating second thumbnail images of the webpages downloaded at the later time; comparing the first thumbnail imagesto the second thumbnail images; determining an image difference betweencorresponding ones of the first thumbnail images and the secondthumbnail images; and processing the image difference for display. 6.The system of claim 5, wherein the operations further comprise storingan entry in an electronic database that electronically associatesfilenames with the first thumbnail images and times of the downloadingof the web page.
 7. The system of claim 5, wherein the operationsfurther comprise determining a textual difference between one of thefirst thumbnail images and a corresponding one of the second thumbnailimages.
 8. The system of claim 7, wherein the operations furthercomprise visually highlighting the textual difference.
 9. A memorydevice storing instructions that when executed causes a processor toperform operations, the operations comprising: identifying, by a domainname server, a port open to a communications network; identifying, bythe domain name server, a single internet protocol address associatedwith a different server, the different server accessible via the portopen to the communications network; performing, by the domain nameserver, a domain name resolution that resolves the single internetprotocol address to a hostname; requerying, by the domain name server,the domain name resolution for the hostname; retrieving, by the domainname server, multiple alias records having the domain name resolutionwith the hostname; determining, by the domain name server, the singleinternet protocol address associated with the different server that isaccessible via the port open virtually hosts multiple domain names inresponse to the multiple alias records having the domain name resolutionwith the hostname; identifying, by the domain name server, web pagesassociated with each one of the multiple domain names virtually hostedby the another server; downloading, by the domain name server, each oneof the web pages associated with each one of the multiple domain namesat a first time; generating, by the domain name server, first thumbnailimages of the each one of the web pages; downloading, by the domain nameserver, the each one of the web pages associated with each one of themultiple domain names at a second time later than the first time;generating, by the domain name server, second thumbnail images of theeach one of the web pages at the second time; comparing, by the domainname server, the first thumbnail images to the second thumbnail images;determining, by the domain name server, an image difference betweencorresponding ones of the first thumbnail images and the secondthumbnail images; and processing, by the domain name system, the imagedifference for the display.
 10. The memory device of claim 9, whereinthe operations further comprise storing electronic associations in anelectronic database between filenames associated with the firstthumbnail images and the first time.
 11. The memory device of claim 9,wherein the operations further comprise storing electronic associationsin an electronic database between filenames associated with the secondthumbnail images and the second time.
 12. The memory device of claim 9,wherein the operations further comprise determining a textual differencebetween any one of the first thumbnail images and a corresponding one ofthe second thumbnail images.
 13. The memory device of claim 12, whereinthe operations further comprise visually highlighting the textualdifference.
 14. The memory device of claim 9, wherein the operationsfurther comprise identifying all internet protocol addresses that areaccessible via the port open to the communications network.